Winamp Forums > Developer Center > NSIS Discussion

Old 29th February 2008, 04:45   #1
BSOD2600
Member
 
Join Date: Jan 2006
Location: USA
Posts: 82
Question [AccessControl] Set only file permissions?

I'm trying to set both folder and file NTFS permissions.

This is what I've tried so far:
code:

AccessControl::GrantOnFile "$INSTDIR\PHP" $WebUser "GenericRead + GenericExecute"
AccessControl::GrantOnFile "$INSTDIR\PHP" "Everyone" "GenericRead + GenericExecute"
AccessControl::GrantOnFile "$INSTDIR\PHP\uploadtemp" $WebUser "GenericRead"
AccessControl::GrantOnFile "$INSTDIR\PHP\uploadtemp" $WebUser "ReadData + WriteData + Execute"
AccessControl::GrantOnFile "$INSTDIR\PHP\sessiondata" $WebUser "GenericRead"
AccessControl::GrantOnFile "$INSTDIR\PHP\sessiondata" $WebUser "ReadData + WriteData + Execute"



Unfortunately, the resulting permissions are not what I want. I want the $WebUser / Everyone accounts to have Read access to all folders/files in $INSTDIR\PHP -- this is done properly.

I also want only the $WebUser account (i.e. IUSR_TEST2) to have ONLY GenericRead permissions on the $INSTDIR\PHP\uploadtemp directory. Additionally, I want it to have Read/Write/Execute rights ONLY on files in that directory. It seems the AccessControl plugin always uses an "Apply To" of This folder, subfolders, and files. For the $INSTDIR\PHP\uploadtemp folder I want an "Apply To" of Files only.

Here is a detailed listing of the relevant applied permissions from the script above [sessiondata omitted] (used Sysinternals Accesschk tool):
code:

c:\php\sessiondata
  RW TEST2\IUSR_TEST2
        FILE_ADD_FILE
        FILE_ADD_SUBDIRECTORY
        FILE_APPEND_DATA
        FILE_EXECUTE
        FILE_LIST_DIRECTORY
        FILE_READ_ATTRIBUTES
        FILE_READ_DATA
        FILE_READ_EA
        FILE_TRAVERSE
        FILE_WRITE_DATA
        SYNCHRONIZE
        READ_CONTROL
  R  Everyone
        FILE_EXECUTE
        FILE_LIST_DIRECTORY
        FILE_READ_ATTRIBUTES
        FILE_READ_DATA
        FILE_READ_EA
        FILE_TRAVERSE
        SYNCHRONIZE
        READ_CONTROL



While it's not a really big deal that they're not applied as granularly as I want, it would be a good idea to apply them correctly for security reasons.

Any ideas on how to accomplish what I'm after?
Old 29th February 2008, 07:35   #2
Anders
Moderator
 
Join Date: Jun 2002
Location: ${NSISDIR}
Posts: 2,776
From the simple test I did:
code:
CreateDirectory "$instdir\uploadtemp"
WriteIniStr "$instdir\uploadtemp\file.ini" a b c
AccessControl::GrantOnFile "$INSTDIR\uploadtemp\" $WebUser "GenericRead|GenericWrite"
pop $0
DetailPrint $0
AccessControl::DenyOnFile /NOINHERIT "$INSTDIR\uploadtemp" $WebUser "DeleteChild|AddFile|AddSubdirectory"
pop $0
DetailPrint $0

This seems to work (I can edit file.ini, but not create new files). Not sure if this is what you wanted, but you should be able to tweak this a bit. From what I can tell, you have to specify the permissions for the folder/files first, then strip off permissions for just the parent folder.

IntOp $PostCount $PostCount + 1
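The two posts above describe three ACL layouts in words: the first script's GrantOnFile (which the original poster observed lands on "This folder, subfolders, and files"), the grant-then-/NOINHERIT-deny sequence, and the "Apply To: Files only" layout the poster actually asked for. The following is an added example, not code from the thread or from the AccessControl plugin: a small Python model of the documented Windows ACE inheritance rules (the OBJECT_INHERIT, CONTAINER_INHERIT, NO_PROPAGATE and INHERIT_ONLY flags) and canonical DACL ordering, run against a constructed tree `uploadtemp\file.ini`, `uploadtemp\sub\deep.ini` for the trustee IUSR_TEST2 named in the thread. It shows why the first script gives the folder FILE_ADD_FILE, why the /NOINHERIT deny trims only the folder it is applied to, and what "Files only" is in flag terms. Rights are the specific FILE_* bits; generic-right mapping and group membership are deliberately left out. The thread mentions only the /NOINHERIT switch for controlling inheritance, so the OI|IO "Files only" layout is shown as a Windows concept, not as something the plugin is known to expose.

```python
from dataclasses import dataclass, field, replace

# FILE_* specific rights (winnt.h). A directory names the same bits differently:
# READ_DATA = LIST_DIRECTORY, WRITE_DATA = ADD_FILE, APPEND_DATA = ADD_SUBDIRECTORY,
# EXECUTE = TRAVERSE, so a "WriteData" grant shows as FILE_ADD_FILE on a folder.
READ_DATA, WRITE_DATA, APPEND_DATA = 0x0001, 0x0002, 0x0004
EXECUTE, DELETE_CHILD = 0x0020, 0x0040
RWX = READ_DATA | WRITE_DATA | EXECUTE
# AceFlags: OBJECT_INHERIT, CONTAINER_INHERIT, NO_PROPAGATE, INHERIT_ONLY, INHERITED
OI, CI, NP, IO, INHERITED = 0x01, 0x02, 0x04, 0x08, 0x10
USER = "IUSR_TEST2"  # trustee name from the thread; the tree below is constructed

@dataclass(frozen=True)
class Ace:
    trustee: str
    allow: bool
    mask: int
    flags: int = 0

@dataclass
class Node:
    name: str
    is_dir: bool
    dacl: list = field(default_factory=list)
    children: list = field(default_factory=list)

def inherited_aces(parent_dacl, child_is_dir):
    """ACEs a child receives from its parent, per the Windows inheritance rules."""
    out = []
    for ace in parent_dacl:
        f = ace.flags
        if not child_is_dir:
            if f & OI:                       # files take OI ACEs, inherit flags cleared
                out.append(replace(ace, flags=INHERITED))
        elif f & CI:                         # subfolders take CI ACEs as effective ACEs
            keep = 0 if f & NP else f & (OI | CI)
            out.append(replace(ace, flags=keep | INHERITED))
        elif f & OI and not f & NP:          # OI-only: carried inherit-only for deeper files
            out.append(replace(ace, flags=OI | IO | INHERITED))
    return out

def propagate(node):
    """Re-derive inherited ACEs on every descendant, as SetNamedSecurityInfo does."""
    for child in node.children:
        explicit = [a for a in child.dacl if not a.flags & INHERITED]
        child.dacl = explicit + inherited_aces(node.dacl, child.is_dir)
        propagate(child)

def add_child(parent, name, is_dir):
    child = Node(name, is_dir, inherited_aces(parent.dacl, is_dir))
    parent.children.append(child)
    return child

def add_ace(node, trustee, allow, mask, flags=OI | CI):
    """Default OI|CI is 'This folder, subfolders and files'; flags=0 matches /NOINHERIT."""
    node.dacl.append(Ace(trustee, allow, mask, flags))
    propagate(node)

def canonical(dacl):
    """Explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(dacl, key=lambda a: (bool(a.flags & INHERITED), a.allow))

def access_check(node, trustee, desired):
    """Simplified AccessCheck: single trustee, no groups, no generic-right mapping."""
    remaining = desired
    for ace in canonical(node.dacl):
        if ace.trustee != trustee or ace.flags & IO:  # inherit-only ACEs do not apply here
            continue
        if not ace.allow:
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False

def make_tree():
    root = Node("uploadtemp", True)
    f, sub = add_child(root, "file.ini", False), add_child(root, "sub", True)
    return [root, f, sub, add_child(sub, "deep.ini", False)]

def report(nodes):
    """name -> (USER can read, USER can write data / add file)."""
    return {n.name: (access_check(n, USER, READ_DATA), access_check(n, USER, WRITE_DATA))
            for n in nodes}

def grant_only():
    """First post: GrantOnFile with the default inheritance."""
    nodes = make_tree()
    add_ace(nodes[0], USER, True, RWX)
    return report(nodes)

def grant_then_noinherit_deny():
    """Anders' sequence: inheritable grant, then a folder-only deny of child creation."""
    nodes = make_tree()
    add_ace(nodes[0], USER, True, RWX)
    add_ace(nodes[0], USER, False, WRITE_DATA | APPEND_DATA | DELETE_CHILD, flags=0)
    return report(nodes)

def files_only():
    """'Apply To: Files only' = allow ACE with OI|IO, plus a non-inheritable read ACE for the folder."""
    nodes = make_tree()
    add_ace(nodes[0], USER, True, READ_DATA | EXECUTE, flags=0)
    add_ace(nodes[0], USER, True, RWX, flags=OI | IO)
    return report(nodes)

if __name__ == "__main__":
    for scenario in (grant_only, grant_then_noinherit_deny, files_only):
        print(scenario.__name__, scenario())
```

Running it shows the practical caveat in the deny approach: the /NOINHERIT deny removes add-file on `uploadtemp` itself, but a subfolder created beneath it only inherits the allow, so IUSR_TEST2 can still create files there. The OI|IO layout has the opposite edge: the subfolder carries the ACE as inherit-only and gets no read or traverse right of its own unless a separate CI ACE grants one. Real Windows also evaluates group SIDs and maps GENERIC_READ/GENERIC_WRITE to FILE_* bits before this check; both are omitted here to keep the model short.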
Old 29th February 2008, 08:55   #3
BSOD2600
Member
 
Join Date: Jan 2006
Location: USA
Posts: 82
Ah, that /NOINHERIT switch should be documented more. If one doesn't use it, security isn't applied/removed correctly at all on single files.
Old 29th February 2008, 09:41   #4
Afrow UK
Moderator
 
Join Date: Nov 2002
Location: Birmingham, England
Posts: 8,202
Use SetOnFile not GrantOnFile to overwrite existing access control entries of a trustee.

Stu

Need an installer? http://www.afrowsoft.co.uk
Old 2nd March 2008, 03:26   #5
BSOD2600
Member
 
Join Date: Jan 2006
Location: USA
Posts: 82
Just ran across this for another project... it would be helpful if you referenced this MSDN page in your readme / wiki

SID Strings
Old 2nd March 2008, 16:52   #6
Afrow UK
Moderator
 
Join Date: Nov 2002
Location: Birmingham, England
Posts: 8,202
This page would be a better example:
Well-known security identifiers in Windows operating systems

Stu

Need an installer? http://www.afrowsoft.co.uk
Old 3rd March 2008, 23:40   #7
BSOD2600
Member
 
Join Date: Jan 2006
Location: USA
Posts: 82
While that's true, in your examples you use "BU". That "Well-known security identifiers in Windows operating systems" page doesn't make any reference to what BU is. The page I linked to explains / lists all the options.